Re: Sync rsso users between 2 Fortigate clusters
Best practice for RSSO (RADIUS-based Single Sign On) is to send accounting data from the NAS, not the NPS.
Usual practice is to send accounting from the Network Access Server/Service, therefore from an AP, WLC or firewall.
Because those are the entry points on the border, and those do have (should have) complete data.
NPS, Network Policy Server/Service, might not have complete data, for example:
- the NAS is a WLC and authenticates via RADIUS against NPS
- but NPS is not the one assigning the IP; the NAS uses a 3rd-party DHCP
The above scenario is not uncommon.
And this way NPS does not know which IP was assigned through the NAS from DHCP.
Therefore accounting for RSSO from NPS might not be ideal. Then set it up so that accounting will work this way ...
- WLC will send an Access-Request to NPS, which authenticates the user
- NPS will return an Access-Accept _WITH_ access privileges (the selected group tagging attribute for FGT) to the WLC (NAS)
- WLC will assign the IP (maybe with help from a 3rd-party DHCP)
- WLC will then send an Accounting-Request _WITH_ the user group tagging data re-sent from NPS, plus Framed-IP-Address
- this way the WLC will be able to send complete data to the RSSO handling point, and it does not matter if it's FGT or Collector Agent
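As an added illustration of the flow described in this reply (not code from the post or from Fortinet), the following Python builds the Accounting-Request (Start) a WLC would send, with the NPS group tag plus Framed-IP-Address, and parses it the way an RSSO collector would, rejecting records that lack the IP. It assumes the group tag travels in the standard Class attribute and uses a constructed shared secret and sample user.

```python
import hashlib
import hmac
import struct

# RADIUS codes and attribute types from RFC 2865 / RFC 2866
ACCOUNTING_REQUEST = 4
USER_NAME, FRAMED_IP_ADDRESS, CLASS, ACCT_STATUS_TYPE = 1, 8, 25, 40
ACCT_START = 1
GROUP_ATTRIBUTE = CLASS  # assumption: NPS puts the group tag in Class

def _avp(attr_type, value):
    """Encode one Type-Length-Value RADIUS attribute."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def build_accounting_start(user, ip, group, secret, identifier=1):
    """Accounting-Request (Start) as the NAS/WLC sends it: the group tag from
    the NPS Access-Accept is re-sent; ip=None mimics a sender without IP data."""
    attrs = _avp(USER_NAME, user.encode()) + _avp(GROUP_ATTRIBUTE, group.encode())
    if ip is not None:
        attrs += _avp(FRAMED_IP_ADDRESS, bytes(int(o) for o in ip.split(".")))
    attrs += _avp(ACCT_STATUS_TYPE, struct.pack("!I", ACCT_START))
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, identifier, 20 + len(attrs))
    # RFC 2866: Request Authenticator = MD5(Code+ID+Length+16 zero octets+Attrs+Secret)
    auth = hashlib.md5(header + b"\x00" * 16 + attrs + secret).digest()
    return header + auth + attrs

def rsso_entry_from_accounting(pkt, secret):
    """Parse as an RSSO collector would; return (user, ip, group) for a Start,
    None for other status types, ValueError on bad authenticator or missing data."""
    header, authenticator, attrs = pkt[:4], pkt[4:20], pkt[20:]
    expected = hashlib.md5(header + b"\x00" * 16 + attrs + secret).digest()
    if not hmac.compare_digest(authenticator, expected):
        raise ValueError("authenticator mismatch: wrong shared secret or tampered packet")
    found, pos = {}, 0
    while pos < len(attrs):
        attr_type = attrs[pos]
        length = attrs[pos + 1] if pos + 1 < len(attrs) else 0
        if length < 2 or pos + length > len(attrs):
            raise ValueError("malformed attribute")
        found[attr_type] = attrs[pos + 2:pos + length]
        pos += length
    if struct.unpack("!I", found.get(ACCT_STATUS_TYPE, b"\x00" * 4))[0] != ACCT_START:
        return None  # Stop/Interim records do not create a logon here
    needed = (("User-Name", USER_NAME), ("Framed-IP-Address", FRAMED_IP_ADDRESS),
              ("group attribute", GROUP_ATTRIBUTE))
    missing = [name for name, t in needed if t not in found]
    if missing:
        raise ValueError("incomplete accounting record, missing: " + ", ".join(missing))
    ip = ".".join(str(b) for b in found[FRAMED_IP_ADDRESS])
    return found[USER_NAME].decode(), ip, found[GROUP_ATTRIBUTE].decode()
```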